In our presentation at CODE BLUE last year, we called attention to the threat posed by tokyo.2020.TLD, tokyo2.020.TLD, tokyo20.20.TLD and tokyo202.0.TLD (TLD is an arbitrary top-level domain). Many numeric domains, unrelated to any candidate city of the Olympic Games, had been registered long before Tokyo stood as a candidate, and subdomains of those numeric domains were then abused to impersonate "tokyo2020". Most of the domains were parked and low risk. However, we feared the scenario in which the parked domains are switched to malicious use during the Olympic Games Tokyo 2020. We observed the domains for half a year and continued to observe them during the Games; fortunately, we did not detect any serious threat within the scope of our observation.
On the other hand, in-depth analysis of subdomains, which are not registered in WHOIS or in TLD zone files, led us to potential threats. Recently, the abuse of subdomains to impersonate the URLs of brand domains has stood out in phishing, since domain owners can operate any string as a subdomain with no limitation from registrars. Under these conditions we identified potential threats that combine event abuse and brand abuse: in normal times, brand domains are abused as in google.com.2020.TLD and yahoo.com.2020.TLD, and during the event, ticket.tokyo.2020.TLD is abused. We also investigated the upcoming Olympic Games "beijing2022" and "paris2024". There are no footprints of abuse of those Games yet, but we confirmed brand abuse in relation to "2022" and "2024".
In this presentation, based on our follow-up evaluation of the tokyo2020-like domains that were our evaluation targets last year, we report the pre-event evaluation, the actual observation and the post-event evaluation for the Olympic Games Tokyo 2020. In addition, we discuss future potential threats and their countermeasures based on in-depth analysis of subdomains.
[CB21] Were "2020" Subdomains Abused Actually? - Mining the Real Threat Hidden in Subdomains by Tsuyoshi Taniguchi
1. Copyright 2021 FUJITSU SYSTEM INTEGRATION LABORATORIES LIMITED
Were "2020" Subdomains Abused Actually?
- Mining the Real Threat Hidden in Subdomains
CODE BLUE 2021 (October 20th, 2021)
FUJITSU SYSTEM INTEGRATION LABORATORIES LTD.
Tsuyoshi TANIGUCHI
2. Tsuyoshi TANIGUCHI
◼ Fujitsu System Integration Laboratories Researcher, Ph.D.
◼ Mar. 2008 - Hokkaido University Ph.D. (computer science)
◼ Apr. 2008 - Researcher, FUJITSU
◼ Apr. 2016 - Researcher, FUJITSU SYSTEM INTEGRATION LABORATORIES LTD
◼ Speaker
CODE BLUE 2017 Day0 Special Track Counter Cyber Crime Track
CODE BLUE 2018, CODE BLUE 2020
Black Hat Asia 2021, ACM ASIACCS 2021
International collaboration with Prof. Doerr (Hasso Plattner Institute)
https://www.youtube.com/watch?v=y8Z9KnL8s8s (Presentation in Black Hat Asia 2021)
3. Acknowledgment
◼ Christian Doerr, Ph.D.
◼ Professor Cybersecurity + Enterprise Security
Hasso Plattner Institute for Digital Engineering
◼ The list of domain names
◼ The domain names are gathered directly from the zone files of the various TLD operators, with whom Prof. Doerr has an agreement
◼ As of Feb. 15, 2021
◼ Used to check registrations of numeric domain names
https://hpi.de/forschung/fachgebiete/cybersecurity-enterprise-security.html
https://www.cyber-threat-intelligence.com/people/christian/
4. Timeline
(Timeline figure, 2005 to 2021)
◼ Apr. 2006: Tokyo stood as a candidate
◼ Oct. 2009: Rio de Janeiro
◼ Jul. 2011: Tokyo stood as a candidate
◼ Sep. 2013: Tokyo
◼ Original event days: Jul. 22 to Aug. 9 (postponed)
◼ Actual event days: Jul. 21 to Aug. 8
◼ CODE BLUE 2020 (Oct. 31, 2020): called attention to “2020” subdomains
◼ CODE BLUE 2021 (Oct. 20, 2021): Were "2020" Subdomains Abused Actually?
5. When Could Suspicious (Sub)domains be Abused?
(Same timeline figure as slide 4, with the typosquatting windows for tokyo2016, tokyo2020 and tokyo2021 marked)
◼ tokyo2016: typosquatting
◼ tokyo2020: typosquatting
◼ tokyo2021: typosquatting
◼ Were “2020” subdomains abused for impersonating tokyo2020?
Typosquatting: the method for targeting typos made by users when they directly input URLs
6. Mining the Real Threat Hidden in Subdomains
(Same timeline figure as slide 4, with the “2020” subdomains window marked)
◼ Mining the real threat hidden in subdomains
◼ What was hidden in subdomains?
7. CODE BLUE 2020: “2020” Subdomain Alert
tokyo.2020.TLD, tokyo2.020.TLD, tokyo20.20.TLD, tokyo202.0.TLD
“2020” domains: 2020.TLD, 020.TLD, 20.TLD, 0.TLD
“2020” subdomains:
• Explainable diagnosis: mid-to-long term
• Numeric domains registered long before Tokyo stood as a candidate for the Olympic Games
• Impersonate Tokyo by abusing subdomains
• Can impersonate Istanbul or Madrid as well
• Had not observed name resolutions yet
• Would these subdomains actually be abused?
8. Subdomain Abuse
https://smbc-card.com.●●●●.com/
(Jul. 5, phishing by impersonating Sumitomo Mitsui Card Company)
https://www.visa.co.jp.●●●●.●●●●/
(Jul. 6, phishing by impersonating VISA card)
From emergency information by the Council of Anti-Phishing Japan
URL structure: Subdomain | SLD | TLD
Subdomain: abuses a legitimate URL
Domain: anything is OK
Subdomain abuse based on levelsquatting
• Any strings can be operated as subdomains without any limitation
• Only a part of the URL is shown in the narrow display space of smartphones
Du, Kun, et al. "TL;DR hazard: A comprehensive study of levelsquatting scams." International Conference on Security and Privacy in Communication Systems. Springer, Cham, 2019.
9. Worried Scenario in tokyo2020
◼ Change of parked domains to malicious use during tokyo2020
Parked domain (advertisement display, low risk) -> C&C, malware distribution, phishing (malicious use, worst case)
1% of 6 million domains (Mar. to Sep. 2020, according to the report by Palo Alto Networks)
Domain Parking: A Gateway to Attackers Spreading Emotet and Impersonating McAfee
https://unit42.paloaltonetworks.com/domain-parking/
10. Parked Domain
◼ Parking Sensor [Thomas Vissers et al., NDSS 2015]
(Figure: the parties Domain Owner, Parking Services, Advertisement Syndicator and Advertiser, with $ flows between them; the domain's NS points to the parking page, which shows ADs and related links; steps (1) to (4))
11. Parked Domain: How to Confirm
◼ Parking Sensor: name servers or CNAME of 15 parking service providers
◼ Not many: the paper was published in 2015
◼ How to confirm
◼ Directly confirm the parked domain through a browser
◼ Check the name server of the above domain
◼ If the name server is not identified, then search for the parking service provider's guidance on setting the name server for parked domains
◼ Add the name server to the list of parking service providers if the guidance is confirmed
◼ About 20 parking service providers were added to my checking list
Provider      Name server
SedoParking   sedoparking.com
Parkingcrew   parkingcrew.net
Bodis         bodis.com
…             …
Attention: the parking service itself is legitimate
12. Parked Domain: How to Detect
1. dig command with the NS option
◼ In a case where the corresponding domain responds
◼ Extension of my system from CODE BLUE 2018
2. Passive DNS NS record
◼ In a case where previous name resolutions of the corresponding domain have occurred
3. WHOIS
◼ In a case where registration records of the corresponding domain exist
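The NS-record check behind methods 1 and 2 on slide 12, written out as an added example (this is not the speaker's system): a parser that accepts both dig answer lines (with a TTL) and Passive DNS text lines (without one), and a matcher that compares each name server against the parking providers listed on slide 11. The matcher compares on the provider's registrable domain, so ns1.sedoparking.com matches while ns.notbodis.example and sedoparking.com.attacker.example do not. The dig output and domain names below are constructed.

```python
"""Parked-domain check from NS records (added example, not the speaker's tool)."""
import re

# Providers named on slide 11; the real checking list is longer (about 20 were added).
PARKING_PROVIDERS = {
    "sedoparking.com": "SedoParking",
    "parkingcrew.net": "Parkingcrew",
    "bodis.com": "Bodis",
}

# One resource record per line: "<owner> [<ttl>] IN NS <target>".
# The optional TTL lets one parser read dig answer lines (with TTL)
# and Passive DNS text lines (without TTL).
NS_LINE = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+NS\s+(?P<target>\S+)\s*$")


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot."""
    return name.strip().lower().rstrip(".")


def parking_provider(ns_name: str):
    """Return the provider name if ns_name is under a known parking provider's domain."""
    host = normalize(ns_name)
    for provider_domain, provider in PARKING_PROVIDERS.items():
        if host == provider_domain or host.endswith("." + provider_domain):
            return provider
    return None


def parse_ns_records(text: str, domain: str) -> list:
    """Extract NS targets for `domain` from dig- or Passive-DNS-style lines."""
    wanted = normalize(domain)
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # skip dig comments and blank lines
            continue
        m = NS_LINE.match(line)
        if m and normalize(m["owner"]) == wanted:
            targets.append(normalize(m["target"]))
    return targets


def classify_domain(text: str, domain: str) -> dict:
    """Summarise whether the domain's name servers belong to parking services."""
    ns = parse_ns_records(text, domain)
    providers = sorted({p for n in ns if (p := parking_provider(n)) is not None})
    return {
        "domain": normalize(domain),
        "name_servers": ns,
        "parking_providers": providers,
        "parked": bool(providers),
    }


# Constructed sample: the kind of answer section `dig NS` prints for a parked
# domain (TTL present), followed by a Passive-DNS-style line (no TTL) for a
# second, non-parked domain. All names and servers are made up.
SAMPLE_DIG = """\
;; ANSWER SECTION:
2020.example.      3600    IN      NS      ns1.sedoparking.com.
2020.example.      3600    IN      NS      ns2.sedoparking.com.
2021.example. IN NS ns.notbodis.example.
"""

if __name__ == "__main__":
    print(classify_domain(SAMPLE_DIG, "2020.example"))
    print(classify_domain(SAMPLE_DIG, "2021.example"))
```

A match only tells you the domain is parked at that provider, which slide 11 stresses is legitimate in itself; the value of the check is in tracking when the NS records stop pointing at a parking service.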
13. How to Observe and Evaluate
Pre-event evaluation (Feb. 18 to Jul. 19)
• Previous Olympic Games: rio2016, pyeongchang2018
• Other events: US presidential election
• The status of response: periodic response, first and last seen, parked domain
Actual observation (Jul. 21 to Aug. 8) and post-event evaluation (Aug. 9 to Aug. 19)
• Response check based on Passive DNS records
• Access http through browser
• The change of response
• Future Olympic Games: beijing2022, paris2024
14. Pre-Event Evaluation
(Phase: pre-event evaluation, Feb. 18 to Jul. 19)
• Previous Olympic Games: rio2016, pyeongchang2018
• Other events: US presidential election
• The status of response: periodic response, first and last seen, parked domain
“2016” (172 registrations): 8 subdomains
16.com, 2016.com, 2016.info
rio.2016.com, …
“2018” (283 registrations): 2 subdomains
18.com, 2018.com
pyeongchang.2018.com, …
US presidential election (“2020” domains): 61 subdomains
020.biz, 020.online, 020.org, 020.us, 20.com, 2020.com, 2020.house, 2020.win, 2020.us
trump.2020.com, biden.2020.com, trumpreelection2.020.org, electionday2.020.org, …
A few abuses of previous Olympic Games
“2020”: trump, biden, obama, election, vote
15. Pre-Event Evaluation: Hypothesis and Verification
◼ If someone abuses “2020” subdomains,
◼ then the subdomains start responding as tokyo2020 approaches
◼ Domain owners can operate subdomains anytime without any limitation
(Figure: every day at 13:00, tokyo.2020.TLD, tokyo2.020.TLD, tokyo20.20.TLD and tokyo202.0.TLD are queried through a public caching DNS to check whether they respond)
16. Pre-Event Evaluation: Periodic Response
About 50 subdomains were mapped to Google Cloud from Apr. 9
-> stopped responding on May 9
17. Relation Between Parked Domains and Subdomains
tokyo.2020.TLD -> x.x.x.x
It seemed that the subdomains responded, but …
18. Relation Between Parked Domains and Subdomains
*.2020.TLD (parked) -> x.x.x.x
tokyo.2020.TLD -> x.x.x.x
codeblue.2020.TLD -> x.x.x.x
hogehoge.2020.TLD -> x.x.x.x
DNS record wildcard function
-> any subdomain responded, showing the same ad page
19. Relation Between Parked Domains and Subdomains
*.2020.TLD (parked) -> x.x.x.x
Sensor: tokyo.2020.TLD IN A x.x.x.x, First Seen: …, Last Seen: …
Passive DNS records -> anonymization of source information, so a query by Taniguchi (periodic queries finished on Jul. 7) and a query by a victim both appear as tokyo.2020.TLD -> x.x.x.x
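Slides 17 to 19 make the point that a subdomain which "responds" under a parked wildcard is not evidence that anyone operates it. The following is an added example (not the speaker's code) of the check that separates the two cases: resolve the watched name, then resolve a few random labels under the same parent; if the random labels return the same answer, the response is the wildcard. The resolver is injected as a function so the logic runs offline here against a constructed zone (made-up names, TEST-NET addresses); a practitioner would pass a function that performs real DNS lookups.

```python
"""Wildcard check for a responding subdomain (added example, not the speaker's code)."""
import secrets
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]


def make_zone_resolver(zone: Dict[str, List[str]]) -> Resolver:
    """Resolver over a constructed zone; '*.parent' entries act as one-level wildcards."""
    def resolve(name: str) -> List[str]:
        name = name.lower().rstrip(".")
        if name in zone:
            return list(zone[name])
        if "." in name:
            return list(zone.get("*." + name.split(".", 1)[1], []))
        return []
    return resolve


def wildcard_check(fqdn: str, resolve: Resolver, probes: int = 3) -> dict:
    """Classify fqdn as 'no response', 'wildcard (parked)' or 'dedicated record'."""
    fqdn = fqdn.lower().rstrip(".")
    parent = fqdn.split(".", 1)[1]
    answer = set(resolve(fqdn))
    if not answer:
        return {"name": fqdn, "status": "no response", "answer": []}
    # Random labels are never operated on purpose; if they resolve to the
    # same addresses, the parent has a wildcard that also covers our name.
    probe_hits = [set(resolve(f"{secrets.token_hex(6)}.{parent}")) for _ in range(probes)]
    status = "wildcard (parked)" if all(hit == answer for hit in probe_hits) else "dedicated record"
    return {"name": fqdn, "status": status, "answer": sorted(answer)}


# Constructed zone data: 2020.example is parked with a wildcard;
# tokyo2.020.example has an explicit ticket record and no wildcard.
ZONE = {
    "*.2020.example": ["192.0.2.10"],
    "ticket.tokyo2.020.example": ["192.0.2.20"],
}

if __name__ == "__main__":
    resolver = make_zone_resolver(ZONE)
    for name in ("tokyo.2020.example", "codeblue.2020.example",
                 "ticket.tokyo2.020.example", "tokyo.2021.example"):
        print(wildcard_check(name, resolver))
```

Because the sensor's Passive DNS records strip the query source, this check is the only way to tell from the outside whether tokyo.2020.TLD was deliberately configured; the "dedicated record" outcome is the one worth an alert.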
20. Actual Observation: Target
tokyo2020 typosquatting: 187 (tokyo-2020.TLD, tokio2020.TLD, tokoy2020.TLD, tokyo2020.TLD)
tokyo2021: 82
“2020” subdomains: 203 -> 605 (402 added) (tokyo.2020.TLD, tokyo2.020.TLD, tokyo20.20.TLD, tokyo202.0.TLD)
Response status (pre-event evaluation as of Jul. 19)
                    Response (Passive DNS)   Parked domains   Malicious
Typosquatting       32% (88/269)             34% (30/88)      8% (7/88)
“2020” subdomains   15% (91/605)             54% (49/91)      3% (3/91)
Malicious: 1 or more vendors judged malicious (phishing) or suspicious in VirusTotal
21. tokyo2020 Typosquatting / tokyo2021: Pre-Evaluation First and Last Seen
(Figure: first seen and last seen dates per domain)
Sudden increase of tokyo2021 registrations soon after the announcement of the postponement of tokyo2020
Around 30% of the tokyo2020 typosquatting domains responded
22. “2020” Subdomains: Pre-Evaluation First and Last Seen
(Figure: first seen and last seen dates per subdomain)
Jan. 28: started querying
Jul. 7: finished querying
tokyo202.0.org: 2019/2/4, 2020/2/2
tokyo20.20.org: 2019/5/30, 2019/11/26
tokyo20.20.com: 2019/5/30
tokyo2.020.org: 2020/2/2
23. Actual Observation, Post-Event Evaluation
(Phases: actual observation, Jul. 21 to Aug. 8; post-event evaluation, Aug. 9 to Aug. 19)
• Response check based on Passive DNS records
• Access http through browser
• The change of response
• Future Olympic Games: beijing2022, paris2024
24. tokyo2020 Typosquatting / tokyo2021: Actual Observation
(Figure: name resolutions per day during the event)
Name resolutions stood out near the opening or closing ceremony
25. “2020” Subdomain: Actual Observation
(Figure: name resolutions per day)
Jul. 7: name resolution for periodic response (by Taniguchi)
Jul. 28: ticket.tokyo2.020.org, ticket.tokyo20.20.org
26. Actual Observation, Post-Event Evaluation
(Phases: actual observation, Jul. 21 to Aug. 8; post-event evaluation, Aug. 9 to Aug. 19)
                    Response (Jul. 19)   Response (Aug. 9)
Typosquatting       32% (88/269)         35% (94/269)
“2020” subdomains   15% (91/605)         0.5% (3/605)
Typosquatting: could observe responses, but did not observe a serious threat
“2020” subdomains: a few tokyo-related subdomains, but many other subdomains
tokyo.2020.shop; tokyo2.020.org, ticket.tokyo2.020.org; tokyo20.20.org, ticket.tokyo20.20.org
“2022”, “2024”: only queries by me
Subdomain follow-up evaluation
27. Mining the Real Threat Hidden in Subdomains
(Same timeline figure as slide 4, with the “2020” subdomains window marked)
◼ Mining the real threat hidden in subdomains
◼ What was hidden in subdomains?
28. Subdomain
◼ A domain is divided into subdomains by purpose or by use
◼ Ex. yahoo.co.jp
shopping.yahoo.co.jp (shopping)
auctions.yahoo.co.jp (auction)
weather.yahoo.co.jp (weather)
news.yahoo.co.jp (news)
29. How to Search Subdomains (1/2)
◼ FARSIGHT DNSDB API VERSION 1 DOCUMENTATION
◼ https://docs.dnsdb.info/dnsdb-api/
◼ I have not used Version 2 yet
◼ 2. Lookup all RRsets whose owner name ends in farsightsecurity.com, of type NS, in the farsightsecurity.com zone
◼ curl -i -H 'Accept: text/plain' -H "X-API-Key: $DNSDB_API_KEY" "https://api.dnsdb.info/lookup/rrset/name/*.farsightsecurity.com/ns/farsightsecurity.com"
Based on the above API, the wildcard function can collect all records
◼ -> curl -i -H 'Accept: text/plain' -H "X-API-Key: $DNSDB_API_KEY" "https://api.dnsdb.info/lookup/rrset/name/*.domain.com?limit=1000000"
30. How to Search Subdomains (2/2)
A case of *.domain.com
domain.com IN A x.x.x.x
domain.com IN NS ns1.domain.com
subdomain1.domain.com IN A x.x.x.x
subdomain2.domain.com IN A x.x.x.x
ns1.domain.com IN A y.y.y.y
Capture the strings other than www before the SLD (subdomain1, subdomain2)
Attention: do NOT capture the A records of name servers (ns1)
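The extraction rule on slide 30, as an added example that is not the speaker's code: read the one-record-per-line "name IN type rdata" shape of the API's text/plain output (the constructed sample below imitates it; the ';;' comment line, names and TEST-NET addresses are made up), learn the domain's own name servers from its NS records so their A records are skipped, drop the bare www label, and keep every other string before the SLD together with the addresses it resolved to. Labels may themselves contain dots (ticket.tokyo2), as on the later slides.

```python
"""Mine subdomain labels from DNSDB-style text output (added example, not the speaker's code)."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# "<owner> IN <type> <rdata>" with no TTL, as in the API's text/plain output.
RECORD = re.compile(r"^(?P<name>\S+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+?)\s*$")
ADDRESS_TYPES = {"A", "AAAA", "CNAME"}


def parse_records(text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, type, rdata) triples, lower-cased, without trailing dots."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):       # comment or blank line
            continue
        m = RECORD.match(line)
        if m:
            out.append((m["name"].lower().rstrip("."), m["type"], m["rdata"].lower().rstrip(".")))
    return out


def mine_subdomains(text: str, sld: str) -> Dict[str, Set[str]]:
    """Map each subdomain label under sld (e.g. 'ticket.tokyo2') to the answers seen for it."""
    sld = sld.lower().rstrip(".")
    records = parse_records(text)
    # Hosts named in NS rdata are the domain's infrastructure, not operated subdomains.
    name_servers = {rdata for _, rtype, rdata in records if rtype == "NS"}
    found: Dict[str, Set[str]] = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype not in ADDRESS_TYPES:
            continue
        if owner == sld or not owner.endswith("." + sld):
            continue                                # apex record or a foreign name
        if owner in name_servers:
            continue                                # ns1.domain.com and the like
        label = owner[: -(len(sld) + 1)]            # the string before the SLD
        if label == "www":
            continue
        found[label].add(rdata)
    return dict(found)


# Constructed sample in the API's text/plain shape (names and addresses made up).
SAMPLE = """\
;; bailiwick: domain.com.
domain.com. IN A 192.0.2.1
domain.com. IN NS ns1.domain.com.
www.domain.com. IN A 192.0.2.1
subdomain1.domain.com. IN A 192.0.2.1
subdomain2.domain.com. IN A 192.0.2.1
ns1.domain.com. IN A 192.0.2.9
ticket.tokyo2.domain.com. IN A 192.0.2.1
www.google.domain.com. IN CNAME subdomain1.domain.com.
otherdomain.com. IN A 192.0.2.7
"""

if __name__ == "__main__":
    for label, answers in sorted(mine_subdomains(SAMPLE, "domain.com").items()):
        print(label, sorted(answers))
```

Note that www.google is kept: only the bare www label is discarded, so levelsquatting-style labels that merely start with www still reach the brand-abuse check later in the deck.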
31. The Response Status of Subdomains
                    Subdomain        No subdomain
tokyo2020 typo      46% (84/183)     54% (99/183)
tokyo2021           11% (8/75)       89% (67/75)
“2020” subdomains   61% (357/583)    39% (226/583)
◼ The histories of name resolutions of subdomains are not always observed
◼ Domain owners operate subdomains
◼ Someone queries for the subdomains
shop, booking, ticket and myinfo stood out during tokyo2020:
ticket.tokoy2020.org, myinfo.tokoy2020.org, shop.toko.2020.com, booking.toko.2020.com
Around 10%: over 100 subdomains
In the maximum case: over 10,000 subdomains, not related to tokyo2020
No strategic operations, based on ad hoc registrations
Based on directly checking, I noticed many brands
32. Brand Abuse: How to Detect
Brand domains from Alexa Top 1,000 -> SLD list -> delete duplicate SLDs -> keep SLDs of 5 or more characters (to avoid detecting many random strings) -> substring matching against subdomain labels
Ex. mail.yahoo.12.com IN A x.x.x.x, facebook.12.com IN A x.x.x.x, archive.12.com IN A x.x.x.x, www.google.12.com IN A x.x.x.x
Levelsquatting (legitimate URLs): rarely detected
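The detection pipeline on slide 32, plus the levelsquatting form from slide 8, as one added example that is not the speaker's code. It reduces a top-sites list to SLD strings, deduplicates them, keeps only SLDs of 5 or more characters, substring-matches each subdomain label, and additionally reports when the whole brand domain appears as consecutive labels (smbc-card.com.●●●●.com). The brand list is a small constructed stand-in for the Alexa Top 1,000, and taking the first label as the SLD is a simplification (a real list needs public-suffix handling for names like yahoo.co.jp).

```python
"""Brand-abuse detection in subdomain labels of numeric domains (added example, not the speaker's code)."""
from typing import Dict, Iterable, List

# Constructed stand-in for a top-sites list (a real list has 1,000 entries).
TOP_SITES = [
    "google.com", "yahoo.co.jp", "facebook.com", "wordpress.com", "youtube.com",
    "archive.org", "smbc-card.com", "qq.com", "google.co.uk",
]


def brand_slds(domains: Iterable[str], min_len: int = 5) -> Dict[str, List[str]]:
    """SLD string -> brand domains it came from; duplicates merged, short SLDs dropped."""
    out: Dict[str, List[str]] = {}
    for d in domains:
        d = d.lower().strip(".")
        sld = d.split(".")[0]               # simplification: first label as the SLD
        if len(sld) < min_len:
            continue                        # e.g. 'qq' would match random strings
        out.setdefault(sld, []).append(d)
    return out


def detect_brand_abuse(subdomain_label: str, brands: Dict[str, List[str]]) -> List[dict]:
    """Hits for one subdomain label (the string before the numeric SLD)."""
    label = subdomain_label.lower().strip(".")
    dotted = f".{label}."
    hits = []
    for sld, domains in brands.items():
        if sld not in label:                # substring matching, as on the slide
            continue
        # Levelsquatting: the full brand domain appears as consecutive labels.
        level = [d for d in domains if f".{d}." in dotted]
        hits.append({"label": label, "brand": sld, "levelsquatting": level})
    return hits


def scan(labels: Iterable[str], brands: Dict[str, List[str]]) -> List[dict]:
    """Run detection over all subdomain labels mined for one numeric domain."""
    return [h for lab in labels for h in detect_brand_abuse(lab, brands)]


# Constructed labels under 12.com, matching slide 32, plus a random string and an event word.
LABELS = ["mail.yahoo", "facebook", "archive", "www.google", "smbc-card.com", "a8f2k9", "ticket"]

if __name__ == "__main__":
    for hit in scan(LABELS, brand_slds(TOP_SITES)):
        print(hit)
```

The substring rule is deliberately loose (it is what finds mail.yahoo and www.google); the levelsquatting field is the stricter signal, and its rarity on numeric domains is exactly what the slide reports.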
33. Brand Abuse: Analysis Target
◼ Target: “2010”, “2011”, …, “2024” subdomains
◼ Analysis of the “Olympic year” -> led to an in-depth analysis of brand abuse of numeric domains
Domain registration        3,783
Target domains             3,548 (Passive DNS records exist)
Subdomains                 1,529,678
Domains (brand abuse)      288 (8.12% of target domains)
Subdomains (brand abuse)   3,252 (0.21% of all subdomains)
Parked domains             142 (49.31% of brand abuse domains)
Malicious judgement        39 (13.54% of brand abuse domains)
34. Brand Abuse: Summary
Rank   Abused brand      Domain          Abused TLD
1      google (1080)     14.net (947)    .com (38)
2      yahoo (376)       12.com (352)    .org (24)
3      facebook (240)    20.com (160)    .se (15)
4      wordpress (106)   0.io (93)       .net (13)
5      youtube (67)      16.com (93)     .app (11)
Malicious in VirusTotal: top-30 malicious judgement 9/30 (30%)
Most of the google abuse is in subdomains of 14.net
The number of TLDs: 116
35. Brand Abuse: “2016”, “2017”, …,“2024”
◼ 2016: Rio, 2018: PyeongChang, 2020: Tokyo, 2022: Beijing, 2024: Paris
◼ 2017, 2019, 2021, 2023: not related to Olympic Games
◼ Similar abuse status
Rank  “2016”     “2017”     “2018”     “2019”     “2020”     “2021”     “2022”     “2023”     “2024”
1     yahoo      google     facebook   netflix    google     microsoft  yahoo      yahoo      bet365
2     facebook   verizon    wordpress  google     yahoo      wordpress  verizon    youtube    wordpress
3     google     india      yahoo      instagram  bet365     google     wordpress  google     google
4     wordpress  wordpress  youtube    yahoo      wordpress  youtube    facebook   wordpress  business
5     instagram  apple      pornhub    facebook   amazon     github     apple      apple      twitch
(Rank 5 also lists facebook and xvideos; their columns were lost in extraction)
37. Concern: Future Olympic Games
Subdomains of 24.com (first seen, last seen):
api-huffpost.24.com: Feb. 7, 2018, Jun. 29, 2018
facebook.24.com: Jun. 6, 2019, Jun. 6, 2019
weather-api.24.com: Apr. 1, 2020, Aug. 21, 2021
paris20.24.com: ? ?, 2024
◼ beijing2022.cn, paris2024.org
◼ Only brand abuses in relation to “2022” and “2024” as of Aug. 2021
◼ Malicious in VirusTotal: only 24.com
Around 2010: googlesearch.24.com, weather.24.com
From 2018: brand abuse has been observed
Only my query regarding paris20.24.com
◼ Please be careful regarding this potential threat (Paris 2024)
38. How to Guide Users to Undesired Sites
◼ typosquatting or URL click
Typosquatting: directly input URLs in the browser
https://www.tokio2020.com (y -> i)
Typosquatting of . (dot) rarely occurs
URL click: phishing e-mail
Click! http://www.ticket.tokyo20.20.org
Typo-generation models [Microsoft, Strider Typo-Patrol, 2006]
One-character distance, fat-finger distance [Long “Taile”, Szurdi, Janos, et al., 2014]
39. (Hypothetical) Potential Threat: Wildcard Phishing
◼ Phishing e-mail + wildcard subdomains
◼ Divide an e-mail operation into a domain operation
(Figure) WHOIS registration: ●●●●.com; DNS: *.●●●●.com (wildcard)
Phishing e-mail -> Click! http://www.facebook.com.●●●●.com -> facebook.com.●●●●.com -> x.x.x.x
Phishing e-mail -> Click! http://www.google.com.●●●●.com -> google.com.●●●●.com -> x.x.x.x
Victims voluntarily query brand subdomains
Domain operation: wildcard -> subdomain queries are hidden in Passive DNS records
WHOIS: no footprints of brand abuse
40. Countermeasure
◼ Blocking policy (in organizational network)
◼ Block numeric domains other than legitimate top sites (whitelist)
Ex. (whitelist) 360.cn, 6.cn, 163.com, 1688.com (Alibaba, from China), 58.com
◼ Block parked numeric domains during events
Ex. “2020” parked domains are blocked during tokyo2020
◼ Block particular strings in subdomains of numeric domains
ticket, myinfo, shop, booking, brand domains
◼ Regulation of subdomain operations (by DNS registrar, registry)
◼ Do not click doubtful URLs in suspicious e-mails or SMS (end users)
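The three blocking rules above, encoded as an added example that is not the speaker's tool: a hostname is classified against a whitelist of legitimate numeric domains, against a parked-domain lookup during an event window, and against particular strings in the subdomain part, and every rule it trips is returned so an operator can enable any subset. The whitelist entries and the blocked strings come from the slide; the brand SLDs, the event window (set here to the Tokyo 2020 actual event days), the parked-domain lookup and the "registrable domain = last two labels" rule are assumptions, the last one a simplification of public-suffix handling.

```python
"""Blocking policy for numeric domains (added example, not the speaker's tool)."""
from datetime import date
from typing import Callable, List, Tuple

WHITELIST = {"360.cn", "6.cn", "163.com", "1688.com", "58.com"}   # from the slide
BLOCKED_STRINGS = {"ticket", "myinfo", "shop", "booking"}           # from the slide
BRAND_SLDS = {"google", "yahoo", "facebook", "wordpress"}           # assumption: subset of a brand list
EVENT_WINDOW = (date(2021, 7, 21), date(2021, 8, 8))                # assumption: tokyo2020 actual days


def split_host(host: str) -> Tuple[str, str]:
    """Return (subdomain part, registrable domain); registrable = last two labels (simplification)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return "", host.lower()
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def is_numeric_domain(registrable: str) -> bool:
    """True when the SLD label is all digits, e.g. 2020.shop or 020.org."""
    return registrable.split(".")[0].isdigit()


def evaluate(host: str, today: date, is_parked: Callable[[str], bool]) -> List[str]:
    """List the rules that host trips; an empty list means allow."""
    sub, reg = split_host(host)
    if not is_numeric_domain(reg):
        return []                                  # policy only concerns numeric domains
    if reg in WHITELIST:
        return []                                  # legitimate top sites
    reasons = ["numeric-domain"]                   # rule 1: non-whitelisted numeric domain
    if EVENT_WINDOW[0] <= today <= EVENT_WINDOW[1] and is_parked(reg):
        reasons.append("parked-during-event")      # rule 2: parked numeric domain during the event
    sub_labels = sub.split(".") if sub else []
    for word in sorted(BLOCKED_STRINGS | BRAND_SLDS):
        if any(word in lab for lab in sub_labels):
            reasons.append(f"blocked-string:{word}")   # rule 3: particular strings in subdomains
    return reasons


# Constructed parked-domain set standing in for the NS-based parking check.
PARKED = {"2020.shop", "020.org"}

if __name__ == "__main__":
    for h in ("163.com", "www.2020.shop", "ticket.tokyo2.020.org",
              "mail.yahoo.12.com", "www.example.com"):
        print(h, evaluate(h, date(2021, 7, 25), PARKED.__contains__))
```

Rule 1 alone already blocks every non-whitelisted numeric domain; rules 2 and 3 matter for networks that cannot afford that breadth and want to block only parked domains during the event or only the event and brand strings.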
41. Summary
◼ Observation of the worried scenario in tokyo2020
◼ Did not observe it in the pre-event evaluation or the actual observation
◼ ticket.tokyo2.020.org, ticket.tokyo20.20.org
◼ Threat hidden in subdomains
◼ Brand abuse
◼ And abuse of strings of the Olympic Games
◼ Contributions
◼ Parked domains: not judged as malicious by security vendors
◼ Subdomains: difficult to analyze without special techniques
◼ Mining potential threats hidden in subdomains of parked domains
Adversaries can freely abuse brand domains by abusing subdomains with the DNS wildcard function
Brand Abuse + Event Abuse: continuous threat regarding the change of parked domains to malicious use